|
|
|
This command line tool can be used to view keyring files, create keyring files, and import certificates of all kinds into keyring files. It uses the Notes C API and can be run against any 8.5.x or 9.x IBM Notes/Domino installation, but can only be used with SHA-2 certiifcates in 9.x, and can only be used to import and delete trusted roots with interim fix 9.0 IF6 or 9.0.1 FP2 IF1.
To install, uncompress the zip file in your Notes/Domino program directory. In order to run on Windows, launch "kyrtool.exe" as shown below. To run on Linux, launch "/opt/ibm/domino/bin/tools/startup kyrtool" as shown below. The exact path to the "startup" command on Linux will vary based on your Notes/Domino installation path. If the tool is not being run from the same directory as your notes.ini file, the "=/path/to/notes.ini" parameter is required as shown below.
Download link for kyrtool:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0&source=fc
Displaying the top level help text on Windows:
[C:\] kyrtool =c:\lotus\notes\notes.ini -h
KyrTool v1.0
kyrtool [=/path/to/notes.ini] command [subcommand] [flags]
Commands:
create Create a new keyring file
delete Delete a root in a keyring file
import Import into a keyring file
show Show information about a keyring file
verify Verify the content of a PEM import file
Use 'kyrtool [command] -h' to view help for each command.
The keyring password is stored in the STH file and will be
automatically read when using an existing keyring file.
Displaying the top level help text on Linux:
[~]$ /opt/ibm/domino/bin/tools/startup kyrtool =/home/domino/notesdata/notes.ini -h
KyrTool v1.0
kyrtool [=/path/to/notes.ini] command [subcommand] [flags]
Commands:
create Create a new keyring file
delete Delete a root in a keyring file
import Import into a keyring file
show Show information about a keyring file
verify Verify the content of a PEM import file
Use 'kyrtool [command] -h' to view help for each command.
The keyring password is stored in the STH file and will be
automatically read when using an existing keyring file.
[C:\] kyrtool =c:\lotus\notes\notes.ini create -h
KyrTool v1.0
kyrtool create [flags]
Creates a new Domino SSL keyring file
'Create' flags:
-h Display this help message and exit
-k Path to keyfile (Mandatory)
-p Keyring password (Mandatory)
-v Verbose mode; repeating increases verbosity level
[C:\] kyrtool =c:\lotus\notes\notes.ini show -h
KyrTool v1.0
Show information about an existing Domino SSL keyring file
kyrtool show certs [flags]
-c Also show DER encoding of certs
-i arg Input PEM file
-k arg Path to keyfile
One of -i or -k must be present
-o Check cert chain via OCSP (-i only)
kyrtool show keys [flags]
-i arg Input PEM file (*)
-k arg Path to keyfile (*)
One of -i or -k must be present
kyrtool show policy [flags]
-k arg Path to keyfile (Mandatory)
kyrtool show roots [flags]
-c Also show DER encoding of certs
-k arg Path to keyfile (Mandatory)
-n Also show DER encoding of names
-v At least one '-v' will display PEM encoding of certs for roots.
Common 'show' flags:
-h Print this help message
-v Verbose mode; repeating increases verbosity levels
By default 'show roots' will only output the names stored for the
root certificates; use '-v' to show the actual root certificates.
The API used for 'show keys' can only display key pairs that are
associated with a certificate.
[C:\] kyrtool =c:\lotus\notes\notes.ini import -h
KyrTool v1.0
Imports keys and certificates into a Domino SSL keyring file
kyrtool import all [flags]
-i arg Input PEM file (Mandatory)
-k arg Path to keyfile (Mandatory)
kyrtool import roots [flags]
-i arg Input PEM file (Mandatory)
-k arg Path to keyfile (Mandatory)
kyrtool import keys [flags]
-i arg Input PEM file (Mandatory)
-k arg Path to keyfile (Mandatory)
-n arg Distinguished name
kyrtool import certs [flags]
-i arg Input PEM file (Mandatory)
-k arg Path to keyfile (Mandatory)
Common 'import' flags:
-h Print this help message
-v Verbose mode; repeating increases verbosity levels
'import all' will import an RSA keypair and the server's certificate chain into the
keyring file. The input file must contain a '-----BEGIN RSA PRIVATE KEY-----' and
at least one '-----BEGIN CERTIFICATE-----' PEM blob.
This operation combines the functionality of 'import keys' and 'import certs'
without the need to correctly specify a distinguished name.
The 'kyrtool verify file.pem' command can be used to check the file before importing.
'import roots' will import one or more certificates into the keyring file as trusted roots.
The input file must contain one or more '-----BEGIN CERTIFICATE-----' PEM blobs.
'import keys' will import an RSA keypair into the keyring file, but requires
the distinguished name from the leaf cert (CN=www.example.com) as input.
The input file must contain a '-----BEGIN RSA PRIVATE KEY-----' PEM blob.
'kyrtool show keys -i file.pem' can be used to check the file before importing.
'import certs' will import the server's certificate chain into the keyring file.
The input file must contain one or more '-----BEGIN CERTIFICATE-----' PEM blobs.
The certificate chain must be ordered with the leaf first and the root last.
'kyrtool show certs -i file.pem' can be used to check the file before importing.
[C:\] kyrtool =c:\lotus\notes\notes.ini delete -h
KyrTool v1.0
Delete root certificate from a Domino SSL keyring file
kyrtool delete root [flags]
-k arg Path to keyfile (Mandatory)
-# arg Index of trusted root to delete. Index is displayed in the show roots command(Ma
ndatory)
-h Print this help message
-v Verbose mode; repeating increases verbosity levels
KYRTool Fix History:
1.0 Original Release: Nov 3, 2014
1.1 Bug Fix Release: Apr 2, 2015
>DKEN9U5UEX - Fix crash if pem file provided as input file has embedded nulls
>KLYH9UBNGW - Add Sha 256 Pinning to the kyrtool - displaying the digest on show commands
>MKIN9QHT5W - Fix kyrtool crashing when attempting the create command and giving an existing directory for the keyfile name
>DKEN9RVQGD - Fix kyrtool sometimes erroring on import all command |